Rediff.com« Back to articlePrint this article

Are hotel key cards safe? Well. . .

Last updated on: November 27, 2009 12:57 IST

Many hotels and resorts use electronic key cards. These cards with a magnetic strip are programmed in such a manner that once the duration of the stay is over, the person does not get access to the room.

The key cards make it impossible to pick up a card and break into a room. Electronic door locking systems were introduced across the globe as they help enhance hotel security, but what information does it contain?

Are electronic key cards safe? Well, it could be a threat depending on the details it has stored on it.

"All hotels mention the customer's name, address, room number and duration of stay in the key card. The key card of the hotel has vital information. Some of the hotels and resorts do store personal details -- including credit card number and its expiry date," says Shah Amber, consultant (information security management services), Mahindra Special Services Group.

Agrees, Pramoud Rao, managing director, Zicom Electronic Security Systems, there are many ways the credit cards can be misused in a hotel. There are chances that key cards could be lead to a data theft.

Some of the five-star hotels declined to reveal details of the key card citing security reasons.

"The key card has the code to access a particular room. It does not store any other details, not even the name of the guests," Kanan Udeshi, manager communications, The Oberoi Group, said.

The key card has the name of the guest and the period of stay. Credit card details are recorded separately by the front desk to validate payment. There is also a provision in the system to make the credit card function as an e-key, according to an industry official.

If the electronic key card contains information like the credit card details it can be easily manipulated.

"There has been no data theft reported so far in India, but there are chances as the information remains on the card till it is handed over to another guest. If the credit card number is stored in the key card, when a guest uses other services in the hotel, he can swipe the card, which in turn is aligned to the front desk for billing," says Shah.

"We cannot reveal any details about the key card. We do not disclose any information that could be a threat to our guests," Nikhila Palat, Taj Hotel spokesperson, Mumbai, said.

The key card is not allowed to be taken by the guest and it remains with the hotel when the guest leaves the hotel.

"The details from the card can be accessed by swiping the card in a normal scanning device. There have been cases abroad where the key card details were used to make mock credit cards. Most of the time the customers are not aware of the fact that the key card holds their credit card number," Shah points out.

If some of the employees connive with miscreants they can access all the information by just swiping the card in any scanning device, Shah adds.

However, the All India Credit Card Users Association has not received any complaints. "There has been no case of fraud reported from a key card data theft. The possibility of hotels giving credit card numbers on key cards seems remote," says Vinod Kumar Chand, general secretary, AICCUA.

Meanwhile, Trend Micro, a leading antivirus and Internet content security software and services entity, says on its website that this a hoax and calls it an 'urban legend'.

The firm says that there is a 'rumour circulating via email which alarms the public that hotel key cards contain personal information about the guest that can be put to ill use by malicious hotel personnel who have easy access to it. This hoax erroneously claims that the guest's home address and credit card number are recorded on key cards dispatched by hotels, thus exposing their customers to unauthorised purchases and cash withdrawals made using the sensitive information'.

The company says that although the origin of the email is based on a real investigation effort of a Southern Californian police district, US authorities have ruled out any security risks this controversy may pose. Moreover, hotel owners have clarified that only minimal information about their guests -- like their names, room numbers and arrival/depature data -- are encrypted in the cards they use.

Data theft

Shah Amber explains how data theft can be prevented.

"Internal threat is a big risk factor for companies. Companies must see to it that any data that can be misused should be completely secure. There are all kinds of technologies to secure IT systems," Shah says.

"Companies have hiked IT security budget and have made no compromise on this. Many have changed application security procedures as well. They have learnt how to recoup from the crisis," he adds.

"As for individuals, they must be very careful about data theft with proper anti-virus systems installed in their computers. It should be updated. They must make sure their Wi-Fi is not misused. They must not disclose e-mail id to any unknown site. They must also make sure children do not surf sites and accidentally pass on information," says Shah.

"There are many fake sites which can lure you and many end up giving their passwords as well. So there is a big threat so one must be very careful. To avoid hacking they can secure ports."

Internet has become an open medium so it is exploited by terrorists. But it is not possible to shut down all those sites. One must be very cautious while surfing and sharing information.

Manu A B in Mumbai